fix: case-insensitive Bearer token scheme matching#2387
📝 Walkthrough (Summary by CodeRabbit)

The pull request refactors the bearer token extraction regex in the API authentication handler and adds a corresponding test. The regex pattern was simplified from an explicit case enumeration
RFC 7235 §2.1 requires HTTP auth scheme names to be case-insensitive. The current regex only accepts "Bearer" and "bearer", rejecting spec-compliant variants like "BEARER".

Change `bearerRegexp` to use the `(?i)` flag so all capitalizations of "bearer" are accepted, as required by the HTTP authentication framework spec.
Force-pushed from e1f399f to 7fbce5e.
Looks good 👍 - my force push was a rebase reword on the commit prefix.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@internal/api/auth_test.go`:
- Around line 62-84: The test TestExtractBearerTokenCaseInsensitive uses a
JWT-like hardcoded string in the variable token which is flagged as a potential
secret; update the token used in that test (and any other tests using similar
values) to a clearly fake value (e.g., "fake-token-value" or "token1234") that
contains no dot-separated JWT pattern but still has no spaces, or replace it
with a shared constant like testFakeToken and use that in the call to
a.extractBearerToken(req) to avoid gitleaks false positives while preserving
test semantics.
📒 Files selected for processing (2)
- internal/api/api.go
- internal/api/auth_test.go
🤖 I have created a release *beep* *boop*

---

## [2.187.0](v2.186.0...v2.187.0) (2026-02-23)

### Features

* add metadata field to all hooks ([#2365](#2365)) ([c675749](c675749))
* check current password on change ([#2364](#2364)) ([33b87ae](33b87ae))
* **indexworker:** add max users threshold for rollout ([#2374](#2374)) ([a2066c6](a2066c6))
* **metrics:** added a gauge with version information ([#2375](#2375)) ([911ad0b](911ad0b))
* support custom oauth & oidc providers ([#2357](#2357)) ([53021f6](53021f6))

### Bug Fixes

* case-insensitive Bearer token scheme matching ([#2387](#2387)) ([36d712d](36d712d))
* correctly parse JWT ValidMethods from env by enabling split_words ([#2334](#2334)) ([a6076bc](a6076bc))
* flaky index worker test ([#2366](#2366)) ([961a7e6](961a7e6))
* **hooks:** propagate error objects from hook calls ([#2380](#2380)) ([3ca1e88](3ca1e88))
* session upgrade percentage should be based on session, not request ([#2371](#2371)) ([510e68b](510e68b))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: supabase-releaser[bot] <223506987+supabase-releaser[bot]@users.noreply.github.com>
fix: case-insensitive Bearer token scheme matching
`bearerRegexp` only accepted `Bearer` and `bearer`. RFC 7235 §2.1 requires auth scheme names to be case-insensitive.

Changed the regex to use the `(?i)` flag so all capitalizations (e.g. `BEARER`) are accepted.

Test plan

`TestExtractBearerTokenCaseInsensitive` covering `Bearer`, `bearer`, `BEARER`, `bEaReR`, `BeArEr`
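To make the behaviour change concrete, here is an added, self-contained Go example (not the project's own `api.go` or `auth_test.go` code) that places an assumed reconstruction of the pre-change pattern, `^(?:B|b)earer (\S+$)`, beside the `(?i)` pattern the PR describes, and runs both over the scheme spellings listed in the test plan. The `extractBearerToken`, `requestWithAuth` and `schemeAccepted` helpers and the `testFakeToken` constant are hypothetical names chosen for this example; the token value follows the review suggestion of a clearly fake, non-JWT-shaped string.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// testFakeToken is a constructed, clearly fake token value. It deliberately has
// no dot-separated JWT shape, as the review comment on the PR suggests.
const testFakeToken = "fake-token-value"

var (
	// bearerRegexpBefore is an assumed reconstruction of the pre-change pattern:
	// an explicit enumeration that only accepts "Bearer" and "bearer".
	bearerRegexpBefore = regexp.MustCompile(`^(?:B|b)earer (\S+$)`)

	// bearerRegexpAfter uses the (?i) flag described in the PR, so every
	// capitalization of the scheme name is accepted, as RFC 7235 §2.1 requires.
	// The flag relaxes only letter case; the single space and the "one
	// non-space token to end of header" shape are still enforced.
	bearerRegexpAfter = regexp.MustCompile(`(?i)^bearer (\S+$)`)
)

var errNoBearerToken = errors.New("no bearer token found in Authorization header")

// extractBearerToken is a hypothetical helper mirroring the shape of a handler's
// token extraction: apply the pattern to the Authorization header and return the
// captured token, or an error when the header does not match.
func extractBearerToken(re *regexp.Regexp, r *http.Request) (string, error) {
	header := r.Header.Get("Authorization")
	matches := re.FindStringSubmatch(header)
	if len(matches) != 2 {
		return "", errNoBearerToken
	}
	return matches[1], nil
}

// requestWithAuth builds a request carrying the given Authorization header
// (constructed input for the example).
func requestWithAuth(value string) *http.Request {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Authorization", value)
	return req
}

// schemeAccepted reports, for each scheme spelling, whether the pattern
// extracts the expected token from "<scheme> <token>".
func schemeAccepted(re *regexp.Regexp, schemes []string) map[string]bool {
	out := make(map[string]bool, len(schemes))
	for _, s := range schemes {
		tok, err := extractBearerToken(re, requestWithAuth(s+" "+testFakeToken))
		out[s] = err == nil && tok == testFakeToken
	}
	return out
}

func main() {
	schemes := []string{"Bearer", "bearer", "BEARER", "bEaReR", "BeArEr"}
	fmt.Println("before:", schemeAccepted(bearerRegexpBefore, schemes))
	fmt.Println("after: ", schemeAccepted(bearerRegexpAfter, schemes))

	// Malformed headers are still rejected after the change: wrong scheme,
	// missing token, double space, or trailing data after the token.
	for _, bad := range []string{"Basic " + testFakeToken, "Bearer", "Bearer  " + testFakeToken, "Bearer a b"} {
		_, err := extractBearerToken(bearerRegexpAfter, requestWithAuth(bad))
		fmt.Printf("%q rejected: %v\n", bad, err != nil)
	}
}
```

Running it shows the pre-change pattern accepting only the first two spellings and the `(?i)` pattern accepting all five, while the negative cases are rejected by both. The point for a reviewer is that the flag widens acceptance of the scheme name only; it does not loosen how the token itself is delimited.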